The Hacker News (thehackernews.com)
Nov 28, 2023 - 4:54 a.m.

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

Tags: north korean, macos malware, rustbucket, kandykorn, sentinelone, objcshellz, lazarus group, cyber attackers, swiftloader, crypto exchange, remote access trojan, dprk, mandiant, cyber landscape


The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed “mixing and matching” different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN.

The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign.

RustBucket refers to an activity cluster linked to the Lazarus Group in which a backdoored version of a PDF reader app, dubbed SwiftLoader, is used as a conduit to load a next-stage malware written in Rust upon viewing a specially crafted lure document.


The KANDYKORN campaign, on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack sequence that led to the deployment of the eponymous full-featured, memory-resident remote access trojan.

The third piece of the attack puzzle is ObjCShellz, which Jamf Threat Labs revealed earlier this month as a later-stage payload that acts as a remote shell that executes shell commands sent from the attacker server.


Further analysis of these campaigns by SentinelOne has now shown that the Lazarus Group is utilizing SwiftLoader to distribute KANDYKORN, corroborating a recent report from Google-owned Mandiant about how different hacker groups from North Korea are increasingly borrowing each other’s tactics and tools.

“The DPRK’s cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts,” Mandiant noted. “This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability.”

This includes the use of new variants of the SwiftLoader stager that purport to be an executable named EdoneViewer but, in reality, contact an actor-controlled domain, likely to retrieve the KANDYKORN RAT, an assessment based on overlaps in infrastructure and the tactics employed.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) implicated Andariel, a subgroup within Lazarus, in cyber attacks exploiting a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install the NukeSped and TigerRAT backdoors.